Tuesday, October 02, 2007

Windows Server 2008 Core: Read-Only DC

New in Windows Server 2008 is the option to create a read-only domain controller (RODC). To deploy an RODC, the domain controller that holds the PDC emulator operations master role (also known as flexible single master operations or FSMO) for the domain must be running Windows Server 2008. In addition, the functional level for the forest must be Windows Server 2003.

Because a Server Core installation is administered from the command line only (at least initially), dcpromo must be run with a host of options to promote it to a domain controller (read-only or standard). From the Windows Server 2008 Technical Library, here are the command line options for dcpromo. The same options can also be placed in an answer file.

So, to create a RODC on a Server Core installation without also installing DNS, the command line would be:

dcpromo /unattend /ReplicaDomainDNSName:<FQDN_of_Domain> /ReplicaOrNewDomain:ReadOnlyReplica /SiteName:<site_name> /InstallDNS:No /DatabasePath:"C:\NTDS" /LogPath:"C:\NTDS" /SysVolPath:"C:\SYSVOL"

Obviously, the paths for the database, logs, and sysvol would need to be changed to the appropriate location for your environment. The bulk of the parameters are pretty self-explanatory, but two deserve to be called out. First, the /ReplicaOrNewDomain:ReadOnlyReplica parameter is what defines the DC as an RODC. Using /ReplicaOrNewDomain:Replica creates a standard (writable) DC in an existing domain. Using /ReplicaOrNewDomain:NewDomain should be pretty obvious, but it does introduce a slew of different required parameters and options. Second, when creating an RODC you must specify the site name using the /SiteName parameter. I’m not sure, but I would assume this is for enabling universal group membership caching. So, if you haven’t figured it out, you’ll need to create the site for the RODC in AD DS before you promote the server to an RODC.

Other handy parameters:

  • /ConfirmGC:No – Do not configure the server as a GC (Default is Yes).
  • /CriticalReplicationOnly:Yes – This forces dcpromo to replicate only the critical directory information before rebooting, postponing the full replication of the remaining AD DS information until after the reboot; this can be useful for large directories to speed up the dcpromo process (Default is No).
  • /ReplicationSourceDC:<FQDN_of_DC> – This forces the replication operation to use a specific domain controller.
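As an added worked example (not from the original post, and not taken from Microsoft's documentation), here is the same RODC promotion expressed as a dcpromo answer file instead of a long command line, with the optional parameters from the list above folded in. The domain name, site name, source DC, account name and paths are assumed values for illustration and must be replaced for your environment; the key names are the unattended-installation equivalents of the command-line switches discussed above.

```ini
; Added example answer file for promoting a Server Core box to an RODC.
; Every value below is an assumption for illustration; replace it for your domain.
; Run from the Server Core console with:  dcpromo /unattend:C:\rodc-unattend.txt
[DCInstall]
; The setting that makes this DC read-only (Replica would make it writable).
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=corp.example.com
; Required for an RODC; the site must already exist in AD DS, dcpromo does not create it.
SiteName=Branch-Site
; Mirror the command line in the post: no DNS server role, and do not make it a GC.
InstallDNS=No
ConfirmGc=No
; Optional: pull the initial replica from one specific writable DC.
ReplicationSourceDC=dc01.corp.example.com
; Optional: replicate only the critical partitions before the reboot.
CriticalReplicationOnly=Yes
DatabasePath="C:\NTDS"
LogPath="C:\NTDS"
SYSVOLPath="C:\SYSVOL"
; Account allowed to add the DC to the domain. A value of * makes dcpromo prompt
; for the password instead of leaving a domain credential in this file.
UserDomain=corp.example.com
UserName=promote-account
Password=*
; Directory Services Restore Mode password for this DC (placeholder, not a real value).
SafeModeAdminPassword=<DSRM_PASSWORD_PLACEHOLDER>
RebootOnCompletion=Yes
```

Treat the answer file as sensitive: if you do put passwords in it, delete it once the promotion has completed. After the reboot, `dsquery server -isreadonly` should list the new server among the domain's read-only DCs, and `repadmin /showrepl` on it will show whether the post-reboot replication that CriticalReplicationOnly deferred has finished.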
